Restrict access to local storlet/dependency files

Now swift and storlet daemon inside containers run with consistent uid so we don't need group/other permissions. Also chown should be executed before actual file content is written, so that the content is not read by a different user. Closes-Bug: #2047723 Change-Id: I7790e51556875be1fc6438d1e2c599b693ca3b5b
openstack · Jan 20, 2024 · 5ad5880 · 5ad5880
1 parent 9aa8ab2
commit 5ad5880
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/storlets/gateway/gateways/docker/gateway.py b/storlets/gateway/gateways/docker/gateway.py
@@ -279,7 +279,7 @@ def bring_from_cache(self, obj_name, sreq, is_storlet):
             get_func = sreq.file_manager.get_dependency
 
         if not os.path.exists(cache_dir):
-            os.makedirs(cache_dir, 0o755)
+            os.makedirs(cache_dir, 0o700)
 
         # cache_target_path is the actual object we need to deal with
         # e.g. a concrete storlet or dependency we need to bring/update
@@ -312,16 +312,17 @@ def bring_from_cache(self, obj_name, sreq, is_storlet):
             # bring the object from storge
             data_iter, perm = get_func(obj_name)
 
+            if perm:
+                perm = int(perm, 8) & 0o700
+            else:
+                perm = 0o600
+
             # TODO(takashi): Do not directly write to target path
             with open(cache_target_path, 'wb') as fn:
+                os.chmod(cache_target_path, perm)
                 for data in data_iter:
                     fn.write(data)
 
-            if not is_storlet:
-                if not perm:
-                    perm = '0600'
-                os.chmod(cache_target_path, int(perm, 8))
-
         # The node's local cache is now updated.
         # We now verify if we need to update the
         # Docker container itself.
@@ -334,7 +335,7 @@ def bring_from_cache(self, obj_name, sreq, is_storlet):
         docker_target_path = os.path.join(docker_storlet_path, obj_name)
 
         if not os.path.exists(docker_storlet_path):
-            os.makedirs(docker_storlet_path, 0o755)
+            os.makedirs(docker_storlet_path, 0o700)
             update_docker = True
         elif not os.path.isfile(docker_target_path):
             update_docker = True